smb share is not writeable even with 777 permissions and umask 777

Question

smb share is not writeable even with 777 permissions and umask 777

I've been working on this for a few days (5) and come to an impasse.

A Mac mini server sharing two volumes: PlexMedia_1, PlexMedia_2

I can use the mv command to move files between both network shares while on the client, but an application I use, FileBot, is not able to move files between those two volumes.

It gets a permissions error:

MOVE: Access Denied: /Volumes/PlexServer_2 (rwxr-xr-x 0:0 Volumes)

The successful mv command:

at iMacEth ~ logfile=$$.log                                                                                                                
at iMacEth ~ mv /Volumes/PlexMedia_1/Plex/pTemp/Panorama.2023.10.23.At.War.Crisis.in.the.Middle.East  /Volumes/PlexMedia_2/Plex/pTemp > $logfile 2>&1

The log file is zero bytes/empty, and the file is moved without issue because I am owner... I guess.

Additional info

I changed mask settings on the server for these SharePoints using Directory Utility.app

dsAttrTypeNative:smb_createmask 777

was 644

dsAttrTypeNative:smb_directorymask 777

was 755

permissions on both volumes

john@Mac-mini ~ % ls -ale /Volumes/PlexMedia_1 
total 64
drwxrwxrwx@  10 john  staff    408 Oct 26 20:42 .
drwxr-xr-x    9 root  wheel    288 Oct 26 20:32 ..
drwxrwxrwx    9 john  staff    306 Oct 26 20:26 Plex

john@Mac-mini ~ % ls -ale /Volumes/PlexMedia_2 
total 32
drwxrwxrwx@ 10 john  staff    408 Oct 26 20:43 .
drwxr-xr-x   9 root  wheel    288 Oct 26 20:32 ..
drwxrwxrwx   5 john  staff    170 Oct 26 20:14 Plex

Still, on the client/iMac when creating a new folder its permissions end up like so:

20:24:52.596 at iMacEth ~ ls -ale /Volumes/PlexMedia_1/untitled\ folder 
total 64
drwxr-xr-x  1 john  staff  16384 Oct 26 20:48 .
drwxrwxrwx@ 1 john  staff  16384 Oct 26 20:48 ..

I think I want them to be like so... would this allow the application to move files?

20:24:52.596 at iMacEth ~ ls -ale /Volumes/PlexMedia_1/untitled\ folder 
total 64
drwxrwxrwx  1 john  staff  16384 Oct 26 20:48 .
drwxrwxrwx@ 1 john  staff  16384 Oct 26 20:48 ..

Guest access is on for both volumes. I have connected to the server using Go-> Connect to server...

smb://guest@mac-mini.local

smb://john@mac-mini.local

smb://192.168.5.1

I have tried using the mount command but authentication constantly fails:

at iMacEth ~ mount -v -t smbfs -o nosuid,-d=777 //john@192.168.10.143  /Users/john/Volumes
Password for 192.168.10.143: 
mount_smbfs: server rejected the connection: Authentication error
mount: /Users/john/Volumes failed with 77

at iMacEth ~ mount -v -t smbfs -o nosuid,-d=777 //192.168.10.143  /Users/john/Volumes     
Password for 192.168.10.143: 
mount_smbfs: server rejected the connection: Authentication error
mount: /Users/john/Volumes failed with 77

at iMacEth ~ mount -v -t smbfs -o nosuid,-d=777 //guest@192.168.10.143  /Users/john/Volumes
mount_smbfs: mount error: /Users/john/Volumes: No such file or directory
mount: /Users/john/Volumes failed with 64

Is there an ACL that is required that I am missing?

😩

iMac 27″, macOS 14.1

Posted on Oct 26, 2023 7:14 PM

Reply

Answer 1

Top-ranking reply

johnnyjackhammer Author

Level 1

78 points

Oct 27, 2023 9:08 AM in response to etresoft

Thanks

etresoft wrote:

DS_Store files have nothing to do with permissions.

OK, can you explain what function the contents "0083;653b16ff;com.apple.smbd;" have? When I removed them, and they were rebuilt by the Finder, .DS_Store no longer contained those xattr values.

PS: And if you've been hacking around on various permission, you'll have to undo everything you did. That's a great way to make your file server non-functional.

This is not helpful.

[Edited by Moderator]

How to connect with this moderator? You erased the following lines which are integral to the post. Why?

I am looking at umask because it appears this application doesn't have the privileges it should. I don't know why or how but it doesn't

It does have full disk access. Looking in /private/var/db/com.apple.xpc.launchdthis application is not listed.

Set a custom umask in macOS - Apple Support

Reply

Answer 2

etresoft

Level 9

50,962 points

Oct 27, 2023 9:23 AM in response to johnnyjackhammer

johnnyjackhammer wrote:

OK, can you explain what function the contents "0083;653b16ff;com.apple.smbd;" have? When I removed them, and they were rebuilt by the Finder, they no longer contained those xattr's

It never contained any xattrs to begin with. The DS_Store file is, and always has been, undocumented. However, it is widely known to display the Finder view preferences, like the positions of icons. Normally this causes problems in a server context because different people have different preferred views. Plus, the Finder was never designed for multiple people writing to this file at the same time. However, all of that is irrelevant to your question, which is what I was trying to explain.

PS: And if you've been hacking around on various permission, you'll have to undo everything you did. That's a great way to make your file server non-functional.

This is not helpful.

I disagree. You could easily get off on some crazy tangent based on what you read on the internet and start making all kinds of changes. Then, once you find the solution an implement it, it still won't work because you've broken it in some other way.

I am looking at umask because it appears this application doesn't have the privileges it should. I don't know why or how but it doesn't

It does have full disk access.

Maybe not. The only "FileBot" I can find is some media piracy app. It's written in Java. These kinds of apps can be very difficult to configure with Full Disk Access. There are 4 different executables in the bundle, and 3 dynamic libraries thrown in for good measure. Which of these needs Full Disk Access? Does the Apple security system even support this app?

I recommend you contact the developer. It simply may not work with a network volume. Or if it does, there may be a special kind of configuration you need.

Looking in /private/var/db/com.apple.xpc.launchdthis application is not listed.

Set a custom umask in macOS - Apple Support

You're not going to fix this by hacking around on permissions.

I recommend you try to reconfigure your setup using only paths on the local hard drive. Confirm that works. Then try the network paths. If that fails, then you know exactly why.

I'm not sure what value this FileBot app is supposed to bring. Are you trying to automate something? You seem familiar with the Terminal. Why not just write your own shell script?

The permissions model on modern macOS is completely unlike other systems. Things like umask will work only in very specific circumstances. This is not one of them. Getting 3rd party apps to directly manipulate any protected path, such as a network path, is going to be a challenge. Plus, this Java indirection is going to complicate matters. It may not be possible at all. The TCC subsystem behind Full Disk Access is very picky about executables bundled inside apps. It can be made to work. I've done it, but it's tricky. Doing it from Java? Not my idea of a good time.

Reply

Answer 3

Oct 26, 2023 9:12 PM in response to MrHoffman

23:04:50.580 at iMacEth /Volumes/PlexMedia_1 ls -ale@ 
total 224
drwxrwxrwx@ 1 john  staff  16384 Oct 26 21:04 .
	com.apple.provenance	   11 
drwxr-xr-x  8 root  wheel    256 Oct 26 22:38 ..
-rwxrwxrwx@ 1 john  staff  10244 Oct 26 22:49 .DS_Store
	com.apple.FinderInfo	   32 
	com.apple.provenance	   11 
	com.apple.quarantine	   29 
drwxrwxrwx  1 john  staff  16384 Oct 25 14:58 .Spotlight-V100
drwxrwxrwx@ 1 john  staff  16384 May  5 16:17 .Trashes
	com.apple.provenance	   11 
-rw-r--r--  1 john  staff      0 Oct 26 20:42 .com.apple.timemachine.supported
drwxrwxrwx  1 john  staff  16384 Oct 26 20:41 .fseventsd
drwxrwxrwx  1 john  staff  16384 Oct 26 20:26 Plex

23:06:02.269 at iMacEth /Volumes/PlexMedia_2 ls -ale@               
total 192
drwxrwxrwx@ 1 john  staff  16384 Oct 26 20:43 .
	com.apple.provenance	   11 
drwxr-xr-x  8 root  wheel    256 Oct 26 22:38 ..
-rwxrwxrwx@ 1 john  staff  10244 Oct 26 22:57 .DS_Store
	com.apple.FinderInfo	   32 
	com.apple.provenance	   11 
	com.apple.quarantine	   29 
drwxrwxrwx  1 john  staff  16384 Oct 25 14:58 .Spotlight-V100
drwxrwxrwx@ 1 john  staff  16384 Oct 26 19:24 .Trashes
	com.apple.provenance	   11 
-rw-r--r--  1 john  staff      0 Oct 26 20:43 .com.apple.timemachine.supported
drwxrwxrwx  1 john  staff  16384 Oct 26 20:42 .fseventsd
drwxrwxrwx  1 john  staff  16384 Oct 26 22:43 Plex

and...

23:06:06.705 at iMacEth /Volumes/PlexMedia_2 xattr -p com.apple.quarantine .DS_Store
0083;653b16ff;com.apple.smbd;

23:10:48.781 at iMacEth /Volumes/PlexMedia_1 xattr -p com.apple.quarantine .DS_Store
0081;653b1755;com.apple.smbd;

What is going on with com.apple.smdb on this list?

Reply

Answer 4

etresoft

Level 9

50,962 points

Oct 27, 2023 6:44 AM in response to johnnyjackhammer

johnnyjackhammer wrote:

It appears .DS_Store holds information on the permissions I added to the mounted volume while it was mounted. Removing it caused the permissions to change (for the worse) on the next mount.

DS_Store files have nothing to do with permissions.

Try giving Full Disk Access to your FileBot app.

PS: And if you've been hacking around on various permission, you'll have to undo everything you did. That's a great way to make your file server non-functional.

Reply

Answer 5

Oct 27, 2023 9:37 AM in response to etresoft

You are misinformed, FileBot is not a media piracy app, it's a file renaming tool and it's in the Apple App Store - signed with an Apple Developer Certificate.

This server has had its software re-installed in Recovery mode and it's made no difference. So "reversing everything I've done" is mute.

I am leaning towards the Security settings on the Mac mini and the iMac, SIP. However a user should be allowed to override these settings using the commands available. It could also be something addressable using Directory Utility but that is really beyond my ability today.

@etresoft I do appreciate your efforts but the way you've addressed me is inflammatory. I am not clear on how moderators allow such insinuations and inflammatory responses from top contributors and leave their posts unmoderated.

Reply

Answer 6

etresoft

Level 9

50,962 points

Oct 27, 2023 10:09 AM in response to johnnyjackhammer

johnnyjackhammer wrote:

You are misinformed, FileBot is not a media piracy app

Of course it is. 😄

it's a file renaming tool and it's in the Apple App Store

There are lots of piracy apps in the App Store that have been skinned into a "PG-rated" version to help present an aura of respectability. Oldest trick in the book. This strategy goes way beyond software.

Are you using the App Store version? That's never going to work. The Mac App Store sandbox adds a whole additional layer of security complexity. The only way a Mac App Store app would work with a network volume is if you specifically used a standard file open dialog to open a file on the server. Automated tasks will never work. Plus, you've got the Java issues on top of everything else.

This server has had its software re-installed in Recovery mode and it's made no difference. So "reversing everything I've done" is mute.

No. It's very important. I didn't say it was going to fix anything. I said that if you've followed various instructions from the internet circa 2009, you're going to totally scramble things. Then, when you find the correct solution, it won't work because you've scrambled things in some other way.

I don't know what you mean by "software re-installed in Recovery mode". Did you wipe the hard drive and rebuild it from scratch? Or did you just reinstall the operating system or some 3rd party software. Reinstallation of any software usually has no effect on anything.

I am leaning towards the Security settings on the Mac mini and the iMac, SIP.

Don't lean too far. You'll fall into a rabbit hole from which you'll never get out.

However a user should be allowed to override these settings using the commands available.

A user can. You have already demonstrated your ability to perform this move using the commands available. Your problem is that you are trying to do it with some crazy Java apps, maybe even in the Mac Store. That's just not going to happen.

It could also be something addressable using Directory Utility but that is really beyond my ability today.

That's an ancient tool that is only going to cause more problems.

@etresoft I do appreciate your efforts but the way you've addressed me is inflammatory. I am not clear on how moderators allow such insinuations and inflammatory responses from top contributors and leave their posts unmoderated.

What's the big deal? You're anonymous - "johnnyjackhammer". Who cares if you are using a media piracy app? I don't. I'm here to help people and get them out of problems. This Java app is the source of your problem. I'm trying to keep you from creating bigger problems. If you start over by explaining what you are trying to do, at a high level, you'll make a lot more progress. Until then, there's really nothing you, or anyone on this site, can do.

Reply

Answer 7

Oct 26, 2023 8:17 PM in response to johnnyjackhammer

What’s in the ACL?

% ls -ale@ /Volumes/PlexMedia_1 
% ls -ale@ /Volumes/PlexMedia_2

Reply

Answer 8

Oct 26, 2023 9:27 PM in response to johnnyjackhammer

It appears .DS_Store holds information on the permissions I added to the mounted volume while it was mounted. Removing it caused the permissions to change (for the worse) on the next mount.

Reply

Answer 9

tomfcgv

Level 1

8 points

Nov 6, 2023 4:22 AM in response to johnnyjackhammer

مفقوده

Reply

smb share is not writeable even with 777 permissions and umask 777

Similar questions